A collection of tools, methodologies, and guidelines for Microsoft Windows NT Workstation 4 that network administrators can use to implement policy-based management of Windows NT–based networks. You can use the Zero Administration Kit (ZAK) to
Manage the configuration of users’ desktops from a central location without having to visit each computer. You can specify exactly which applications the user can run, the appearance of the desktop, and where user data will be saved.
Restrict local access to users’ desktops. You can lock down the desktops to prevent users from performing actions that can result in costly help-desk calls, such as installing unapproved applications or modifying critical system files.
Configure applications and data to be stored on network servers. You can achieve improved security by downloading applications from the network, and you can use local hard drives for caching to ensure good performance. This facilitates upgrading of applications and centralized backup.
How It Works
The Zero Administration Kit uses the security of the NTFS file system along with system policies and user profiles. You can use the predefined set of system policies to override the local default settings, and you can use standard user profiles to configure and manage users’ desktops from a central location. The Zero Administration Kit includes the two following preconfigured modes of operation. (Advanced administrators can create other custom network configurations.)
TaskStation Mode: A desktop configuration for a “task-oriented” user such as a bank teller or a data entry person. This mode is ideal for users who require access to only one line-of-business application. TaskStation Mode completely locks down users’ desktops and boots directly into Microsoft Internet Explorer or a specified application. The user has no access to the Microsoft Windows Start button, taskbar, Task Manager, Control Panel, file system, or context menus.
AppStation Mode: A desktop configuration for typical “knowledge workers” who use three or four business applications every day but lack the knowledge and experience to configure or troubleshoot the system or install other applications. This mode provides users with only the applications they need for their jobs via a constrained Windows interface. The user has no access to Task Manager, Control Panel, the file system, or context menus.
TIP
Microsoft TechNet includes a self-paced Hypertext Markup Language (HTML) course called “Implementing the MS Zero Administration Kit for Windows NT Workstation 4.0” (course 979), which is a great resource for learning about how to implement and deploy the Zero Administration Kit.
On the Web
• Zero Administration Kit home page: http://www.microsoft.com/windows/zak
Also called a zone of authority, a subset of the Domain Name System (DNS) namespace that is managed by a name server. This administrative unit can consist of a single domain, or it can be a domain combined with a number of subdomains. The concepts of a zone and a DNS domain are related: each zone is anchored in a specific domain known as the zone’s root domain.
How It Works
The name server must have a zone file, which contains the mappings between IP addresses and host names for the zone. A name server can manage one or more zones, depending on how it is configured. For example, a name server might have one zone for the domain microsoft.com and another zone for the domain adventure.expedia.com. Depending on how the zone file is configured, a name server might be responsible for
A single domain and all of its subdomains (if any). In this case, the particular name server is said to be authoritative over its entire root domain.
A single domain and a portion of the tree of subdomains beneath it. In this case, other name servers are authoritative over the remaining portion of the tree of subdomains beneath the root domain. You might want to divide a domain into several zones managed by several name servers in order to assign the management of each zone to a different group or to make zone transfers more efficient.
Typically, at least two name servers are responsible for a given zone—a primary name server, which manages the actual zone file, and one or more secondary name servers for redundancy. The primary name server manages a standard primary zone, which is represented by a text file called a zone file. (You can modify this file by using a text editor such as Notepad or by using the Microsoft Windows NT administrative tool called DNS Manager.) Each secondary name server manages a standard secondary zone, which is represented by a read-only zone file that you obtain by copying the primary zone file from the primary name server via a process called zone transfer.
Graphic Z-1. Zones and domains in DNS.
NOTE
In Microsoft Windows 2000–based networks, a zone can take yet a third form, called an Active Directory integrated zone. In this type of zone, the zone information is stored in Active Directory, where access to it is controlled by directory permissions, and is replicated by using the standard directory replication method used by Windows 2000 domain controllers. DNS in Windows 2000 also supports dynamic update to ease the administrative burden of manually maintaining zone files.
See also Domain Name System (DNS)
A file on a name server that contains information that defines the zone that the name server manages. The zone file is a text file consisting of a series of resource records that form the Domain Name System (DNS) database of the name server. These records identify which name server is responsible for a given zone, timing parameters for zone transfers between name servers, IP address to host name mappings for hosts within the domains over which the zone file is authoritative, and so on.
A typical zone file might look something like this:
; Database file microsoft.com.dns for microsoft.com. zone.
@          IN  SOA    dns1.microsoft.com. admin.microsoft.com. (
                          12      ; serial number
                          3600    ; refresh
                          600     ; retry
                          86400   ; expire
                          3600 )  ; minimum TTL
; Zone NS records
@          IN  NS     dns1
@          IN  NS     dns2
; Zone A records
dns1       IN  A      192.250.100.10
dns2       IN  A      192.250.100.11
proxy1     IN  A      192.250.100.101
fred       IN  A      192.250.100.102
wilma      IN  A      192.250.100.103
localhost  IN  A      127.0.0.1
www        IN  CNAME  fred
ftp        IN  CNAME  wilma
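The file above is in the standard master-file syntax of RFC 1035, so it can be read with a handful of rules: a semicolon starts a comment that runs to the end of the line, "@" stands for the zone's origin, a name without a trailing dot is relative to the origin, and parentheses let a record (here the SOA) span several lines. The following Python is an added example, not code from this page or from Microsoft's DNS Server. It parses a constructed copy of the zone file shown above (embedded inline so it runs offline), extracts the SOA timers that govern zone transfers, answers lookups the way the name server would by following CNAME records, and checks that every NS target inside the zone has an A record. The function names are the example's own.

```python
"""Parse a DNS zone (master) file like the microsoft.com.dns example above."""

# Constructed copy of the zone file shown on this page (embedded so the example runs offline).
SAMPLE_ZONE = """\
; Database file microsoft.com.dns for microsoft.com. zone.
@ IN SOA dns1.microsoft.com. admin.microsoft.com. (
        12     ; serial number
        3600   ; refresh
        600    ; retry
        86400  ; expire
        3600 ) ; minimum TTL
; Zone NS records
@ IN NS dns1
@ IN NS dns2
; Zone A records
dns1 IN A 192.250.100.10
dns2 IN A 192.250.100.11
proxy1 IN A 192.250.100.101
fred IN A 192.250.100.102
wilma IN A 192.250.100.103
localhost IN A 127.0.0.1
www IN CNAME fred
ftp IN CNAME wilma
"""


def _fq(origin):
    """Normalise an origin so it always ends with the root dot."""
    return origin if origin.endswith(".") else origin + "."


def qualify(name, origin):
    """Expand '@' and relative names against the zone origin; absolute names pass through."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (entry, owner_omitted) pairs: comments stripped, '(' ... ')' groups joined into
    one entry, and a flag saying whether the entry began with whitespace (owner inherited)."""
    buf, depth, first = [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # a ';' comment runs to end of line
        if first is None:
            first = raw
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            entry = " ".join(buf).strip()
            if entry:
                yield entry, first[:1].isspace()
            buf, depth, first = [], 0, None


def parse_zone(text, origin):
    """Return a list of (owner, class, type, rdata) tuples with all names fully qualified."""
    origin = _fq(origin)
    records, last_owner = [], origin
    for entry, owner_omitted in _logical_lines(text):
        tokens = entry.split()
        if tokens[0].startswith("$"):          # $ORIGIN / $TTL directives: not used by this file
            continue
        owner = last_owner if owner_omitted else qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():     # optional per-record TTL
            tokens.pop(0)
        rclass = "IN"
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            rclass = tokens.pop(0).upper()
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":                     # mname, rname, then five integer timers
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [int(t) for t in rdata[2:]]
        elif rtype in ("NS", "CNAME", "PTR"):  # rdata is a single domain name
            rdata = [qualify(rdata[0], origin)]
        records.append((owner, rclass, rtype, rdata))
        last_owner = owner
    return records


def soa_timers(records):
    """The SOA fields a secondary name server uses to schedule zone transfers."""
    for _, _, rtype, rdata in records:
        if rtype == "SOA":
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            return dict(zip(keys, rdata))
    raise ValueError("zone has no SOA record")


def lookup(records, name, rtype, origin, _hops=0):
    """Answer a query from the zone data, following CNAME chains (bounded to avoid loops)."""
    fqdn = qualify(name, _fq(origin))
    answers = [" ".join(map(str, rd)) for owner, _, t, rd in records if owner == fqdn and t == rtype]
    if answers or _hops >= 8:
        return answers
    cnames = [rd[0] for owner, _, t, rd in records if owner == fqdn and t == "CNAME"]
    return lookup(records, cnames[0], rtype, origin, _hops + 1) if cnames else []


def missing_glue(records, origin):
    """NS targets inside the zone that have no A record: such a server cannot be reached."""
    origin = _fq(origin)
    have_a = {owner for owner, _, t, _ in records if t == "A"}
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    return sorted({rd[0] for _, _, t, rd in records if t == "NS" and in_zone(rd[0]) and rd[0] not in have_a})


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE, "microsoft.com")
    print(soa_timers(zone))
    print("www ->", lookup(zone, "www", "A", "microsoft.com"))
    print("missing glue:", missing_glue(zone, "microsoft.com"))
```

The parser is deliberately strict about the one thing that matters for transfers: the SOA timers come back as integers, so the serial, refresh, retry and expire values can be compared directly by the code that drives zone transfers.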
NOTE
On Microsoft Windows NT–based and Windows 2000–based servers running the DNS Server service (and hence configured to operate as name servers for the network), zone files are named after the domains over which they have authority, with the .dns extension appended. For example, the zone file for the domain microsoft.com is microsoft.com.dns and is located in the directory %SystemRoot%\System32\Dns.
A typical DNS server has at least three zone files:
<root_domain>.dns: The forward lookup zone file that is used to resolve host names into IP addresses for TCP/IP hosts over which the name server has authority. In the preceding example, the root domain is microsoft.com, so the zone file is microsoft.com.dns.
z.y.x.in-addr.arpa.dns: The reverse lookup zone file for the forward lookup zone, used to resolve IP addresses into host names for TCP/IP hosts over which the name server has authority; z.y.x is the network ID with its octets in reverse order. In the preceding example, the network ID is 192.250.100.0, so the reverse lookup zone file is 100.250.192.in-addr.arpa.dns.
cache.dns: A standard file that exists on all name servers and contains the host names and IP addresses of the name servers that maintain the root domain of the entire DNS namespace (the root hints), from which the name server starts resolving names outside its own zones.
TIP
Windows 2000 gives you the option of integrating DNS with Active Directory. This results in zone data being stored in Active Directory, which has advantages over traditional implementations of DNS in which zone data is stored in text files:
It provides a more efficient mechanism for zone transfers through the domain replication process of Active Directory. This eliminates the chore of manually configuring zone transfers between primary and secondary DNS servers.
It provides additional fault tolerance for the DNS information because every domain controller that hosts an Active Directory integrated zone holds a writable (primary) copy of the zone data, so there is no single primary name server whose failure would leave the zone without a master.
You should generally use the Windows NT administrative tool called DNS Manager to make changes to zone files on a DNS server running on Windows NT rather than modify these files directly by using a text editor such as Notepad. This will prevent errors from finding their way into the DNS database. Similarly, use the DNS console in Windows 2000 to administer the zone files instead of editing them directly.
See also Domain Name System (DNS), resource record
See zone
The process of transferring the information in the zone file on a primary name server to a secondary name server. Keeping one or more secondary name servers up to date in this way is useful in the following situations:
If the primary name server goes down, so that the secondary name server has a complete, up-to-date copy of the zone file and can handle name resolution requests by Domain Name System (DNS) clients on the network.
If a large number of DNS clients on the local network are making name resolution requests, so that you can load balance these requests between the primary name server and its secondary name servers.
If the primary name server is located on the other side of a slow wide area network (WAN) link, so that name resolution requests for the zone can be handled locally and traffic over the link is reduced. The only traffic the zone itself then generates over the link is the occasional zone transfer.
How It Works
In Microsoft’s implementation of DNS on Microsoft Windows NT, zone transfers occur in three circumstances:
When the Microsoft DNS Server Service is started on the secondary name server.
When the refresh interval for the secondary name server expires—as defined in the start of authority (SOA) record at the beginning of the zone file on the primary name server.
When changes have been made to the zone file on the primary name server and the zone has a notify list. The primary name server immediately notifies each secondary name server on the list that the zone file has been modified, and the secondary initiates a zone transfer without waiting for its refresh interval to expire. The notify list is the list of IP addresses of the secondary name servers that the primary notifies. DNS Manager on Windows NT also lets you restrict zone transfers so that only the servers on the notify list may request the zone; you should normally enable this, since otherwise any host that can reach the name server can request a zone transfer and obtain a complete listing of the zone's hosts and addresses.
A zone transfer is always initiated by the secondary name server. Typically, the secondary name server periodically contacts the primary name server to determine whether any changes have been made to the primary name server’s zone file. If so, it initiates a request for zone transfer. Specifically, when the refresh interval expires on the secondary name server, the following occurs:
The secondary name server requests and receives the SOA record from the primary name server.
The secondary name server compares the serial number in the primary name server's SOA record with the serial number in its own copy of the zone. If the primary's serial number is newer, the secondary name server requests a zone transfer from the primary name server. (This is why the serial number must be incremented whenever the zone file is edited; a change made without incrementing the serial number is never propagated to the secondaries.)
In standard DNS operation, the entire zone file is transferred during this process.
Graphic Z-2. Zone transfer in standard DNS on Windows NT.
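The refresh cycle described above, written out as an added example (it is not code from this page or from the Windows NT DNS Server). The Python class below models a secondary name server's view of one zone: it runs the SOA serial comparison when the refresh timer fires or a notify arrives, falls back to the retry interval when the primary cannot be reached, and marks the zone expired once the expire interval has passed without a successful contact, so that stale data is no longer served. It generalizes the text in one respect: where the page says the secondary transfers when the serial numbers differ, the example uses the RFC 1982 serial-number comparison that standard DNS implementations use, which treats a serial as newer even after it wraps around at 2^32. Times are plain seconds supplied by the caller, the primary's SOA reply is represented by its serial number (or None when the primary did not answer), and the actual transfer is represented by adopting the primary's serial; all names and values are the example's own.

```python
"""Model of a secondary name server's refresh/retry/expire cycle for one zone."""
from dataclasses import dataclass

SERIAL_MODULUS = 2 ** 32  # SOA serial numbers are 32-bit and wrap (RFC 1982)


def serial_newer(candidate, current):
    """True if `candidate` is a later serial than `current` under RFC 1982 arithmetic.
    Equal serials are not newer; a serial that wrapped past 2**32 still counts as newer."""
    a, b = candidate % SERIAL_MODULUS, current % SERIAL_MODULUS
    half = SERIAL_MODULUS // 2
    return (a > b and a - b < half) or (a < b and b - a > half)


@dataclass
class SecondaryZone:
    serial: int          # serial of the copy this secondary currently holds
    refresh: int         # seconds between SOA checks (from the primary's SOA)
    retry: int           # seconds to wait after a check that failed
    expire: int          # seconds without contact after which the copy is discarded
    last_success: float  # time of the last successful contact with the primary
    next_check: float    # time at which the refresh timer next fires
    expired: bool = False

    def check(self, now, primary_serial):
        """One refresh cycle: ask the primary for its SOA and decide what to do.
        `primary_serial` is the serial from the primary's SOA reply, or None if the
        primary did not answer. Returns 'transfer', 'unchanged' or 'retry'."""
        if primary_serial is None:
            # Primary unreachable: keep serving the old copy until the expire interval passes,
            # then stop answering for the zone rather than hand out stale data indefinitely.
            if now - self.last_success >= self.expire:
                self.expired = True
            self.next_check = now + self.retry
            return "retry"
        self.last_success = now
        self.next_check = now + self.refresh
        if serial_newer(primary_serial, self.serial):
            self.serial = primary_serial     # a real server performs the zone transfer here
            self.expired = False
            return "transfer"
        return "unchanged"

    def notify(self, now, primary_serial):
        """NOTIFY from the primary: run the check at once instead of waiting for next_check.
        The transfer is still initiated by the secondary, as the text describes."""
        return self.check(now, primary_serial)

    def answers_authoritatively(self):
        """Whether this secondary may still answer queries for the zone."""
        return not self.expired


if __name__ == "__main__":
    # Values constructed from the SOA timers in the zone-file example on this page.
    sec = SecondaryZone(serial=12, refresh=3600, retry=600, expire=86400, last_success=0, next_check=3600)
    print(sec.check(3600, 12))      # refresh timer fires, serials match: 'unchanged'
    print(sec.notify(4000, 13))     # primary edited the zone and sent NOTIFY: 'transfer'
    print(sec.check(7600, None))    # primary down: 'retry', next attempt after the retry interval
```

The expire handling is the part worth noticing: a secondary that cannot reach its primary keeps answering from its last copy, so the expire interval in the SOA bounds how long clients can be served from data the primary no longer agrees with.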
NOTE
Windows 2000 DNS also supports incremental zone transfer, defined in Request for Comments (RFC) 1995. With incremental zone transfer, a secondary name server that already holds an older version of the zone receives only the resource records that changed since that version, rather than the entire contents of the zone file. This is separate from the DNS dynamic update standard (RFC 2136), which Windows 2000 uses to let hosts register their own resource records; both reduce the work of maintaining zone files by hand.
See also Domain Name System (DNS), zone